The European Union’s balancing between security objectives and data protection : the case of Passenger Name Record data

Academic year: 2021

University of Twente

Faculty of Behavioral, Management and Social Science Public Governance across Borders

Marie Middelstorb s1819429

_____________________________________

Bachelor Thesis

_____________________________________

"The European Union’s balancing between security objectives and data protection.

The case of Passenger Name Record data”

First Supervisor: Dr. Claudio Matera Second Supervisor: Dr. Pieter-Jan Klok

04th of July 2018

ABSTRACT

Facing confrontation with a new dimension of security threats resulting from the rise of terrorism and serious organized crime, police and security authorities aspire to intensify international cooperation. Adjusted collaboration practices involve enhanced exchange of data across borders, which is a practice causing legal concerns regarding data accessibility and protection. This research aims to investigate the consistency between external data transfers for the purpose of fighting terrorism and serious crime and data protection obligations stated in the European legal framework. Since discrepancies between internal and external data safeguards are theoretically possible when data is transferred to third countries, the research further intends to draw conclusions on how the European Union balances these against the pursuit of strategic security objectives. In other words, the European relationship between security targets on the one hand and data protection obligations on the other shall be outlined. Accordingly, the main research question studies the extent to which European data protection standards enable information exchange in the fight against terrorism and serious crime whilst safeguarding personal data of European citizens. Grounded within legal research, the study is composed of a qualitative, conceptual research design that follows explanatory, hermeneutic but also evaluative approaches. It is based on a case study design stressing controversial transfers of Passenger Name Record (PNR) data. To enter the PNR case and to answer the research question, information is retrieved from contemporary policy and regulatory frameworks, in case law and literary analysis by legal researchers.

TABLE OF CONTENTS

LIST OF ABBREVIATIONS

1. INTRODUCTION

1.1. Research Questions and Methodology

1.1.1. Main Research Question and Subquestions

1.1.2. Methodology and Body of Knowledge

1.2. Key Concepts and Theory

1.2.3. European Internal Security and Defense Strategy

1.2.4. Counter-terrorism and Serious Crime

1.2.5. Passenger Name Record Data

1.3. Human Rights and Right to Privacy

1.4. Data Protection

1.5. Social and Scientific Relevance

2. DATA PROTECTION AND DATA FLOWS IN THE FIGHT AGAINST TRANSNATIONAL CRIME AND TERRORISM

2.1. Introduction to Data Protection and Data Flows in the Fight against Transnational Crime and Terrorism

2.2. Data Protection and Fundamental Rights

2.3. European Legislative Framework

2.3.1. Legislation on the Protection of Personal Data

2.3.2. Directive 2016/680 on Data Protection in the Police and Justice Sector

2.3.3. The European Approach on Counter-terrorism

2.4. Data Flows in Security and Counter-terrorism Cooperation

2.5. Conclusion on Data Protection and Data Flows in the Fight against Transnational Crime and Terrorism

3. THE EUROPEAN LEGAL FRAMEWORK ON PNR DATA

3.1. Introduction to the European Legal Framework on PNR Data

3.2. Legislation on PNR Data

3.3. Controversy over the Use of PNR Data in Law Enforcement

3.4. Conclusion on European PNR Legislation

4. THE JURISDICTION ON EUROPEAN PNR DATA TRANSFER AGREEMENTS WITH THIRD COUNTRIES

4.1. Introduction to the Jurisdiction on EU PNR Data Transfer Agreements with Third Countries

4.2. Development of External PNR Agreements with Third Countries

4.3. Analysis of External PNR Agreements with Third Countries

4.4. Conclusion on Third Country PNR Data Transfer Agreements

5. THE CONSISTENCY OF EXTERNAL PNR DATA TRANSFERS WITH EUROPEAN DATA PROTECTION STANDARDS

5.1. Introduction to the Consistency of External PNR Data Transfers with European Data Protection Standards

5.2. Landmark Decisions of the CJEU on External Data Processing

5.2.1. The Schrems Case

5.2.2. Opinion 1/15

5.2.3. Implications on PNR Data Processing Emerging from Opinion 1/15

5.3. Conclusion on the Consistency of External PNR Data Transfers with European Data Protection Standards

6. CONCLUSION ON INFORMATION EXCHANGE

BIBLIOGRAPHY

ANNEX

LIST OF ABBREVIATIONS

AFSJ Area of Freedom, Security and Justice

API Advanced Passenger Information

CFREU Charter of Fundamental Rights of the European Union

CFSP Common Foreign and Security Policy

CJEU European Court of Justice

EU European Union

ECHR European Convention of Human Rights

ECTC European Counter Terrorism Centre

ECtHR European Court of Human Rights

EEA European Economic Area

ENTER European Network of Experts on Radicalization

ICT Information and Communication Technology

IDPC Irish Data Protection Commissioner

ISS Internal Security Strategy

JHA Justice and Home Affairs Council

MEP Member of the European Parliament

MOU Memorandum of Understanding

NGO Non-governmental Organization

PIU Passenger Information Unit

PNR Passenger Name Record

TEU Treaty on the European Union

TFEU Treaty on the Functioning of the European Union

UDHR Universal Declaration of Human Rights

US United States

1. INTRODUCTION

“In the face of a multiform terrorist threat directly targeted against our values, we reaffirm our unfailing solidarity and our determination to fight together against terrorism […] in accordance with human rights and fundamental freedoms.” (Council of Ministers, 2015). This statement was issued jointly after the crisis meeting of the interior ministers in light of the terrorist attacks in Paris in 2015. It stresses the new European security agenda resulting from the increased terrorist threat in Europe, marking a turning point on Europe’s Internal Security Strategy (ISS). Simultaneously, it demonstrates the European commitment to the protection of fundamental human rights according to values and principles emerging from key legal frameworks, for instance from Article 8.2 of the European Convention for the Protection of Human Rights and Freedom (ECHR, 1950).

However, the envisaged interests are partly conflictual, despite both having legitimation (Asinari & Poullet, 2004). In the past decade, legal challenges on the security of European citizens’ data emerged from the rise of technological development. In the digital age, advanced IT systems daily collect an extensive amount of individuals’ private data. This creates supplementary opportunities for public authorities to face terrorist and criminal threats, including integrated cross-border information sharing between national security departments. Thus, data that was gathered by one country is processed and retained by different nations’ security authorities. The practice extends the opportunistic scope of law enforcement authorities, but simultaneously increases the risk of creating an Orwellian society characterized by mass-surveillance and bulk data traffic. Public awareness on this has been raised in recent years, resulting in more concerns about the accessibility of individuals’ personal data (ICO, 2015).

To keep up with the altered settings of a data-driven society, the European Union (EU) introduced a revised set of secondary law in 2016, which redefines the European legal framework on the processing of personal data. The reform package is officially promoted as “an essential step to strengthening citizens' fundamental rights in the digital age” (Commission, 2017a). A significant amount of data from European citizens is, however, not only shared across Member States but transferred to third countries, whose legal standards of data protection may differ considerably from European safeguards. To illustrate how such cross-border data sharing with third countries for public security purposes is consistent with data safeguards emerging from the European regulatory framework, the specific case of Passenger Name Record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offenses and serious crime will be investigated in detail. To analyze the scope of PNR data transfers in a comprehensive manner within the case study, the EU internal and external dimensions of such data proceedings are addressed separately.

1.1. Research Questions and Methodology

The study aims to provide a contribution to the discussion about the level of protection of EU citizens’ personal data in third countries. Does the data maintain its level of protection when being transferred to non-European countries or do data transfers entail shortcomings of this standard? What does the answer imply for the European approach on counter-terrorism and crime detection? To approach these questions, the study scrutinizes the balance between security objectives and adequate protection of personal data, including maintenance of protection standards when data is transferred across EU borders.

This is done based on an evaluation of the consistency between external data transfers for security purposes and intra-European standards on privacy and data protection. Thereby, the research follows a top-down approach, starting with the examination of strategic rationales of data utilization in the field of law enforcement, before shifting emphasis to PNR data proceedings within a case study design. PNR data is increasingly central to the debate about safeguards for external data proceedings, especially since the European Court of Justice (CJEU) issued Opinion 1/15 on the draft agreement for PNR data transfers between the European Union and Canada. Based on the findings from the case-study, the consistency between external data transfers and internal protection standards is assessed before a conclusion on the delicate balance between both rationales is drawn.

1.1.1. Main Research Question and Subquestions

The study is based on the main research question (RQ):

RQ: To what extent do European data protection standards enable external data proceedings in the fight against terrorism and serious crime whilst safeguarding personal data of European citizens?

The main research question incorporates characteristics of an explanatory and hermeneutic question (Matera, 2016). It aims to outline the relationship between public security and personal data protection in examining the balance between these two in the context of international PNR data transfers. For this purpose, the study examines the extent to which provisions on privacy and data protection allow the EU and its Member States to share personal information with third countries in the law enforcement sector.

Four subquestions (SQ) were identified to frame a consistent answer to the main research question.

SQ1: Which protection standards apply on the processing of personal data in the European security environment and how do they affect counter-terrorism cooperation with third countries?

The first subquestion is composed of explanatory and logical characteristics (Matera, 2016). It provides knowledge on the legal background applicable for data proceeding methods in the law enforcement field and, hence, forms the foundation for the subsequent research. Moreover, it engages the practical effects of data processing legacy on bilateral counter-terrorism cooperation between European and third countries’ security authorities.

Firstly, the subquestion shall demonstrate the humanitarian basis of data protection through the investigation of universal principles, that are embedded in fundamental rights (section 2.2). To enhance the human rights perspective, implications emerging from international law, for instance Article 8 ECHR, are scrutinized. Thereafter, the European legislative framework on the protection of personal data is tackled (section 2.3). EU legislation on the protection of personal data is tackled more broadly before the focus is shifted to specific laws on data protection in the police and justice sector. In this context special emphasis lies on Directive 2016/680. As cross-border data proceedings largely fall within the scope of security cooperation, the character of the European law enforcement strategy is discussed subsequently.

Secondly, for the introduction of the practical dimension, the subquestion targets the analysis of implications emerging from EU protection obligations on data transfers in the sphere of counter-terrorism cooperation between the European and international judicial bodies (section 2.4). In this aspect, the relationship between the EU and the United States (US) deserves special attention. The fundamental differences between the countries’ approaches on data protection illustrate how European core values clash with external partners’ viewpoints despite sharing the common goal of ensuring security. Besides, the relationship is traditionally close and impacts the European security cooperation with other countries considerably (Argomaniz, 2009).

SQ2: What is the existing regulatory framework on PNR data within the EU and does it provide sufficient protection safeguards?

The second subquestion combines attributes of explanatory research with a hermeneutic approach (Matera, 2016). Emphasizing three significant aspects of PNR data jurisdiction is an essential element of this chapter, which aims to introduce the status of PNR data legislation within the EU. The aspects include general knowledge about PNR data (I), the current regulatory framework as part of the data protection reform package (II) and the sufficiency of data protection safeguards inherent in European PNR legislation (III).

To tackle the subquestion, the relevance, background and utilization of PNR data are approached to establish an explanatory starting point in the introduction (section 3.1). This includes, inter alia, further links on how the data is embedded in the European security strategy and how the sharing of bulk mobility data improves counter-terrorism operations throughout the Member States. Providing a comprehensive overview on internal PNR policy, Directive (EU) 2016/681 as the current regulatory framework is illustrated (section 3.2). Thereby, legal instructions that have been imposed in CJEU case-law shall be analyzed considering the main reasons underlying such modifications. Afterwards, the chapter outlines reservations on the sufficiency of data protection safeguards as embedded in Directive (EU) 2016/681 (section 3.3).

SQ3: Which principles for international data transfers emerge from PNR agreements between the EU and third countries?

Following the character of an explanatory, hermeneutic and logical typology (Matera, 2016), the third subquestion introduces the external dimension of PNR data. As a starting point, the development of bilateral PNR agreements concluded between the EU and third countries is presented by scrutinizing the main factors that have led to changes in the agreement’s history (section 4.2). To explain the dominant data protection principles shaping the processing of PNR data from a juridical point of view, the current bilateral agreements between the EU and third countries are then analyzed (section 4.3). The key interest here lies in the factual level of data protection provided for in the bilateral agreements. A methodological framework categorizes the main elements of the PNR agreements, such as provisions on the data retention period, in order to structure the analysis in a comprehensive manner. The framework allows the chapter to compare the agreements directly as well as to detect non-evident restrictions on fundamental rights that may arise from legal derogations.

SQ4: To what extent are external PNR data transfers for security purposes consistent with European data protection standards?

The final subquestion conflates the knowledge from the former questions by linking internal EU data protection and privacy standards to external PNR data proceedings with third countries. It explicitly combines the findings on data protection safeguards in the law enforcement sector as conditioned within the European legal system (subquestion 1-2) with exchange practice determined by the third-country PNR data transfer agreements (subquestion 3). In addition, the subquestion provides the final element for scrutinizing consistency on a comprehensive basis by evaluating implications on external data proceedings emerging from two crucial landmark decisions by the CJEU. In other words, it aims to assess the extent to which intra-European PNR data regulations are consistent with legal safeguards of third countries receiving PNR data from European authorities. Given this, it unites characteristics of evaluative, explanatory and hermeneutic types of legal research (Matera, 2016). The argumentations of interest given by the CJEU relate to the Schrems case and Opinion 1/15. Because the subquestion’s emphasis is put on PNR data, it builds on the findings of the Opinion and outlines implications on security-related data flows outside of the EU (section 5.2). Thereby, legal challenges on the right to data protection are addressed, which finally enables the subquestion to tackle the question of consistency and to answer whether PNR data flows outside of the EU respect data protection standards emerging from the Treaties and the CFREU. This step represents the evaluative manner of the question.

In the subsequent chapter an answer to the main research question is concluded. Based on the findings of the former chapters, it reveals if EU standards on the protection of personal data constitute an obstacle for the proceeding of data to third countries’ security and police authorities.

1.1.2. Methodology and Body of Knowledge

Following a systematic approach, the study examines the extent to which personal data retains its level of protection provided for by EU law when it is being transferred to third countries’ security authorities. Such external information proceedings disclose crucial areas of tension since legal frameworks in terms of privacy regulations and safeguards in data-receiving third countries may differ considerably from strict standards prevalent in the EU. Given these discrepancies, personal data may lose its protection standard guaranteed within the EU once it is transferred externally. Although the EU tends to attach importance to the compliance of third countries with foreign data protection standards, the assessment is influenced by the pursuit of security objectives, including the prevention of terrorist threats and serious criminal offenses. Given this, this study shall evaluate how objectives emerging from European ISS are proportionate to compliance with data protection provisions. This reflects the balance between two conflicting leitmotivs, public security and data protection. Balance in its meaning does in this case not refer to trade-offs between the motives. Rather it is about the EU establishing an equilibrium to the forces of security and data protection, which combines the challenges within the relationship the best way possible. This is essentially done through a careful regulation of different policies which in the end shall reconcile the powers in line with the European rule of law. By examining external PNR data proceedings for law enforcement purposes, the study aims to clarify how the progress of finding an equilibrium between security and data protection may proceed. In recent years, PNR data proceedings have become an increasingly popular measure in the fight against terrorism and serious crime because they allow police authorities to monitor air travel on the grounds of big data. Critical voices are however concerned about bulk collection of non-suspect’s reference and long retention periods emerging from the practice. Given such reservations, the legislative grounds of PNR data utilization were recently challenged in front of the CJEU. This gives the matter great relevance and allows further reflections on the future course of reconciling security and privacy interests in light of the study’s main research question.

Throughout the study, an answer to the main research question is developed based on four subquestions. These do not only combine explanatory and hermeneutic characteristics but also touch upon logic and evaluative research approaches. Each subquestion stresses certain aspects with relevance for the conclusion of the main research question. These aspects are analyzed based on the interpretation of application and development of regulatory frameworks, case law and legal principles of the EU.

Information is gathered from a set of different origins including European primary and secondary law, policy papers, case law and independent analysis by legal researchers. Since the study is classified within the field of legal research, a qualitative, conceptual research design is key to conclude an answer to the main research question. The relationship between public security and the protection of individuals’ private data within the EU is primarily addressed in the first subquestion, whereas the case-study on PNR data is embarked on in the second and third subquestion. Thereby, the EU internal dimension of PNR data is emphasized in the second subquestion and the external dimension in the third subquestion. The fourth subquestion is designed to draw inference on PNR data practice based on the combination of findings derived from the former subquestions. This enables the question to conclude if discrepancies between internal and external data safeguards exist, or in other words, if PNR data transfers for security purposes are consistent with EU privacy and data protection standards. For answering the main research question in the end, the outcome of the fourth subquestion in terms of consistency is crucial. In case discrepancies on protection safeguards occur when PNR data is transferred externally, the evaluation of the EU’s balancing between security objectives and data protection regulations is different to when no inconsistencies transpire. Given the event that European standards on data protection are not fully applied on data proceedings to third countries, the study will reflect on the question whether they can be considered an obstacle to security cooperation. However, if external PNR data transfers are fully consistent with European data protection standards, legal instruments for maintaining the status in the future shall be outlined in the conclusion. In any case, to ensure that a comprehensive picture is provided, policy recommendations for future legal frameworks on PNR data usage for security aims are presented.

1.2. Key Concepts and Theory

The main research question entails security and privacy as central analytical concepts, which are presented and discussed in the following. Given the need of the EU to reconcile security objectives and fundamental rights, whilst respecting ethical provisions and conformity with the law, the significance that derives from the balance of both concepts, security and privacy, becomes evident. The subject is not only characterized by high complexity, but also demonstrates great sensitivity arising from public reservations on the proceeding of PNR data. In the following security and privacy shall be subject of conceptualization and theoretical review. The terms outlined in relation to security are: European internal security and defense strategy, counter-terrorism and serious crime and PNR data. In relation to privacy, the section clarifies: Human rights, right to privacy and data protection.

1.2.3. European Internal Security and Defense Strategy

The scope of all strategic actions is based on the legal provisions stated in the Treaty on the European Union (TEU) and Treaty on the Functioning of the European Union (TFEU). The competences to adopt measures within the area of security and defense are divided between supranational governance in the Area of Freedom, Security and Justice (AFSJ), stipulated in the Treaty on the Functioning of the European Union, and intergovernmental structures prevalent in the Common Foreign and Security Policy (CFSP).

The AFSJ includes several policy domains, for instance, in the field of border policies, counter-terrorism and police and justice cooperation. This diversity in policy fields emerged from the extensive institutional development the AFSJ has undergone and results in an extremely broad and heterogenous scope as Kaunert et al. (2014) note. It shall ensure a maximum of security across all Member States in times of increasing vulnerability of core European values that is a result of rising threats of terrorism and crime. The recent terrorist attacks throughout Europe have brutally demonstrated this vulnerability and reopened discussions about security strategies. Thus, the EU ISS, which poses the latest formulation of strategy in the AFSJ field, aims to set out a common security model throughout the EU. It is composed of legislation and operational measures intended for responding to severe criminal actions. The security model promoted is characterized by strong “commitment to a mutually reinforcing relationship between security, freedom and privacy, and based on prevention, cooperation and solidarity between Member States […] and greater interdependence between internal and external security.” (European Parliament, 2015a). The ISS does further stress the significant role of comprehensive, innovative and flexible measures with regards to the protection of European citizens. The key instrument for organizing an effective protection is however cross-border cooperation in terms of law enforcement, border management and civil protection. Cooperation efforts have always been particularly relevant for responding to criminal threats on the European level, especially in order to tackle security gaps deriving from free movement within the Schengen area (Wittendrop, 2016).

1.2.4. Counter-terrorism and Serious Crime

The European security environment has undergone extensive changes since 9/11. Prior to the attacks, the work of the Justice and Home Affairs Council (JHA) was mainly dominated by tackling organized crime, including for instance the trafficking of drugs or human beings. Terrorist threats were recognized, but not addressed within respective JHA action plans. In the aftermath of the 9/11 events, the long-term acceleration of European capacities to develop a cohesive and unified political-military power were addressed extensively (Golino, 2002). Correspondingly, the EU has identified the terrorist threat as one of the most pressing challenges and participates as an active player in countering it. As a matter of fact, some scholars declare contemporary terrorism as the most important of various key threats to the EU (Chirlesan, 2015; Dumitriu, 2004). Potemkina (2017) argues, however, that despite increased efforts taken with regards to European counter-terrorism measures, the diverging priorities prevalent within the European institutional framework result in biased implementation of anti-terror policies. Whilst the European Parliament and the public opinion have a rather critical stance towards additional rights restrictions for security purposes, the Commission follows a more liberal approach in the field.

Potemkina’s argument corresponds with Leonard’s (2010) view, who notes that only a limited number of European counter-terrorism initiatives has made substantial contribution to the fight against terrorism.

Because no universal definition for terrorism exists, it is dependent on the researcher what to include in the concept. According to the North Atlantic Treaty Organization (NATO) terrorism is defined as “[t]he unlawful use or threatened use of force or violence against individuals or property in an attempt to coerce or intimidate governments or societies to achieve political, religious or ideological objective” (NATO, 2014). At the European level, Article 1 of framework decision 2002/475/JHA defines terrorist offenses in the aftermath of the 9/11 attacks “as a combination of: objective elements (murder, bodily injuries, hostage taking, extortion, committing attacks, threat to commit any of the above, etc.); and subjective elements (acts committed with the objective of seriously intimidating a population, destabilising or destroying structures of a country or international organisation or making a government abstain from performing actions).” (Council, 2002).

In 2005 the EU counter-terrorism strategy stated four pillars for the fight against terrorism. These pillars target a strategy consisting of prevention, protection, pursuit and response (Council, 2005). The second pillar, protection, intends to ensure security not only for individuals but also for infrastructure. It includes improvements on transport security, which links it to the utilization of PNR data in aviation. Moreover, the EU counter-terrorism strategy fosters global engagement between public authorities, for instance, in terms of intensified dialogue and capacity-building. The list of measures enhancing cooperation efforts corresponds with the ISS. The most relevant actors in managing internal and external anti-terrorism measures include, amongst others, the European Network of Experts on Radicalization (ENER), the European Defense Agency and Europol. The latter established the European Counter Terrorism Centre (ECTC) in 2016, improving the organization of international cooperation among several counter-terrorism authorities and boosting European engagement in the global fight against terrorism.

1.2.5. Passenger Name Record Data

Cooperation in the security environment is required to address unwanted cross-border mobility of terrorists adequately in order to ensure a maximum level of public security. One suitable tool to counter the issue and prevent security gaps is the utilization of PNR data for law enforcement purposes. PNR data includes a total of 34 areas of data, inter alia, information about contact details, means of payment, travel dates and itinerary, and is required when purchasing an airline ticket regardless of the tendering airline. PNR data developed in American security authorities resulting from internal restructuring operations after the 9/11 attacks (Balzacq, 2008). In the Schengen area, the data is crucial for counterbalancing the international organization of terrorism and severe criminal threats that tend to benefit from abolished border controls. Regarding the processing of PNR data, the Council highlights the improved measures in law enforcement for the identification of suspects, investigations and prosecutions. International security authorities can, with the aid of predefined risk criteria, use PNR data to detect “persons unsuspected of crime or terrorism before a specific data analysis would show they might be.” (Council, 2017).

1.3. Human Rights and Right to Privacy

As codified in Article 2 TEU, the European Member States are subject to legal obligations deriving from various international human rights frameworks. The most prominent of these treaties is the United Nations’ Universal Declaration of Human Rights (UDHR). Published long before the digital age, it emphasized special protection for the privacy and family life of individuals in 1948:

Article 12

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks. (UDHR, 1948).

Article 12 carries considerable weight regarding modern legislation on privacy and can be viewed as the leading legal framework. The obligations stated in Article 12 ensure the protection of an individual’s privacy from external intrusion of other individuals or the state. The right to privacy thereby safeguards key democratic values including human dignity, autonomy and freedom of speech (Privacy International, n.d.). In 1950, the European Convention of Human Rights (ECHR) adopted the principles applicable for the protection of privacy:

Article 8 - Right to respect for private and family life

1. Everyone has the right to respect for his private and family life, his home and his correspondence.

2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others. (ECHR, 1950).

Throughout past jurisprudence the European Court of Human Rights (ECtHR) has clarified that states are not only obligated to prevent the violation of principles emerging from Article 8, but that they are also required to actively ensure respect for private and family life. However, despite being considered as a fundamental human right, the right to privacy is not absolute, which makes it subject to balance against other rights or interests under certain circumstances.

Within the European Union, Article 7 of the Charter of Fundamental Rights of the European Union (CFREU) serves as the legal basis for the protection of privacy:


Article 7 – Respect for private and family life

Everyone has the right to respect for his or her private and family life, home and communications. (CFREU, 2000).

Yet, the right to privacy is viewed as “one of the most important human rights issues of the modern age.” (Privacy International, n.d.). This is mainly because of rising legal uncertainties and privacy concerns regarding the full compliance of information sharing on the internet with the right to privacy as defined in international law. Besides, enhanced mass surveillance and data analysis practices by governmental authorities have triggered questions of legitimacy and respect for the rule of law in terms of privacy. For this study the reference to security threats made by many European security authorities to justify intensified surveillance powers is key, because of its applicability to PNR data collection and processing.

1.4. Data Protection

Data protection is closely intertwined with the right to privacy. Primarily, it prevents data from being lost or misused by public or private entities (Blasi-Casagran, 2017). The CFREU provides the following definition for the protection of personal data:

Article 8 – Protection of Personal Data

1. Everyone has the right to the protection of personal data concerning him or her.

2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law.

Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. (CFREU, 2000).

With a view to the European treaties, data protection rights are guaranteed under Article 16 of the Treaty on the Functioning of the European Union:

Article 16 (ex Article 286 TEC)

1. Everyone has the right to the protection of personal data concerning them. (TFEU, 2012).

The terminology “personal data”, stated in Article 16.1 TFEU, is subject to precise definition in Article 4 of Regulation (EU) 2016/679, also referred to as General Data Protection Regulation (GDPR). Accordingly, personal data is any information relating to an identified or identifiable natural person, also referred to as data subject. Reconsidering the scope of PNR data in light of this study, it becomes apparent that the data protection provisions stated in the GDPR are applicable for PNR data. Besides personal data, so-called sensitive data is differentiated in the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS No. 108). It concerns data on an individual’s race, politics, health, religion, sexual life or criminal record, which requires enhanced protection and is therefore subject to a specified legal regime. Information gathered under PNR can easily be conflated so that conclusions may be drawn on an individual’s sensitive data (EDRi et al., 2015). Addressing the concept is, therefore, crucial to foster a comprehensive understanding for critical views on handling PNR data within the study.

The purpose of this research is to investigate the interconnectedness between the concepts related to security and privacy as outlined above. It addresses how security practices utilized by public authorities provide room for clashes with obligations on privacy and data protection. The case of PNR data in countering security threats illustrates the European predicament in a comprehensive manner. It is suitable for identifying precisely where security objectives may come into conflict with provisions deriving from the European legal and regulatory framework on data protection.

1.5. Social and Scientific Relevance

Considering that the relevance of data flows within the security environment has been outlined previously, this section intends to highlight the significance of PNR data. With the revised set of regulations on the protection of data that entered into force in May 2018, the EU adopts primary law on PNR data for the first time after failed attempts in 2011. For many years, security experts have argued in favor of the harmonization of Member States’ national provisions regarding the processing and retention of PNR data. Directive (EU) 2016/681 finally establishes a legal basis for the use of PNR data for the prevention, detection, investigation and prosecution of terrorist offenses and serious crime. It adopts mechanisms that support public authorities in countering the threat posed by terrorists and their increased mobility. This step effectively results from the terrorist attacks in Europe in the past years.

Furthermore, PNR data regained broad attention in 2017 after the CJEU declared the negotiated PNR data transfer agreement between the EU and Canada invalid. The judgment does not only affect the envisaged agreement but has further implications on the existing agreements with the US and Australia, future negotiations on additional PNR agreements and to some extent even on the PNR Directive. All in all, the EU will be required to reconsider its current approach on PNR data according to the evaluation of the CJEU. Any policy adaptations will in this context foster changes to the balance between the two main objectives, security and data protection. Due to the altered conditions, former research in the field of PNR data requires revision that includes contemporary perspectives on the subject.


2. DATA PROTECTION AND DATA FLOWS IN THE FIGHT AGAINST TRANSNATIONAL CRIME AND TERRORISM

2.1. Introduction to Data Protection and Data Flows in the Fight against Transnational Crime and Terrorism

After having approached the study’s background in the introductory chapter, this chapter aims to answer the first subquestion: Which protection standards apply on the processing of personal data in the European security environment and how do they affect counter-terrorism cooperation with third countries? The question outlines the European legal background on data protection by emphasizing the protection of personal data that is being transferred between judicial bodies in the fight against transnational crime and terrorism. In addition, it stresses practical implications on security cooperation between the EU and third countries resulting from European privacy obligations.

As a starting point, the first section of this chapter introduces the foundations of data protection (section 2.2). Thereby, reference is made to the legal framework stated in human rights law, which has been utilized previously for the definition of privacy and data protection. The subsequent section then gives a general overview on the European legislative framework on internal data protection obligations, including special regulations applicable in the police and justice sector (section 2.3). Additionally, the European law enforcement approach on countering the terrorism threat is analyzed. On that basis, the practical dimension of data protection within the security environment is pointed out afterwards (section 2.4). Finally, a conclusion to the first subquestion is formulated in the last section by considering the findings on existing internal EU data protection standards as well as on counter-terrorism approaches and reflecting on their effects with regards to cooperation with third states’ security authorities (section 2.5). The findings will benchmark the rest of the study as they approach not only PNR data but also general information exchange practice between security authorities. This is crucial for testing the consistency between external data transfers for security purposes and intra-European data protection regulations and thus for concluding an answer to the main research question.

2.2. Data Protection and Fundamental Rights

When approaching data protection with regard to the concept’s embeddedness in fundamental rights, privacy must additionally be addressed in the interest of completeness. Being closely affiliated, both rights aim to preserve related human rights and freedoms, for instance the right to free speech or the freedom of religion. There are, however, some distinguishing aspects that require further discussion.

Privacy, in the notion of human rights, refers to protection against a third actor’s interference with or attack on the individual’s personal sphere. Stated in Article 12 UDHR, privacy is internationally recognized as a fundamental human right. Consequently, most nations have incorporated the protection of “private life” from external interference in their national constitution. Unlike privacy, data protection is not accepted as a universal right amongst the international community. It evolves from the right to privacy but is more specific in its scope since it refers primarily to the online sphere. Within this scope, it includes any personal information to be found on the internet that relates to a natural person directly or indirectly. Besides contact details or image and video material, the protection also comprises technical information such as the respective IP address. Importantly, an adequate level of protection entails fair collection, use and storage of personal information, but does not generally prevent such measures. This is because data protection, as well as privacy, are not absolute rights. Consequently, their scope of application is subject to legislative and judicial interpretation. In confrontation with other EU key values, human and fundamental rights and public or private interests, a balancing against data protection and privacy may be possible. Thus, in presence of special circumstances, such as security concerns, restrictions on data safeguards may be established in favor of conceding counterbalancing measures to guarantee public security.

Within the European Union, limitations may be imposed only through legal acts implementing Article 16 TFEU and in respect of the CFREU. In non-EU countries, the respective interpretation within the legal system is, however, crucial in determining the national standards of data protection. As this interpretation differs considerably amongst the international community, the extent to which data is effectively protected is highly variable. Traditionally, governments are balancing interests in favor of either civil rights and liberties, privacy in this case, or security objectives. Depending on the key elements determined in the government strategy, one of the goals is prioritized. Moreover, the extent to which each objective is pursued is often subject to cultural preconditions. Evidence on this is most prominently provided by the different privacy approaches held by the US and the EU. In the past, the transatlantic relationship has respectively been fraught with conflicts resulting from emerging disparities in the legal regimes. Case law, for instance in the aftermath of the Snowden revelations, has provided further evidence that the US tend to adjudge in favor of national privacy whereas the EU demonstrates a more accommodating position on unrestricted compliance with privacy and data protection (Dimitrova & Brkan, 2018).

In the EU, data protection has evolved from being a rather economic concept to a human right in the past decades (FRA, 2010). Especially due to altered technological conditions in the digital age, the issue has been placed on top of the political agenda. Having held high standards on data protection before, the EU lives up to its pioneering role in the field by establishing a clear commitment to the right to data protection in the modernized set of data protection legislation, which entered into force in May 2018. While the provisions of Directive 95/46/EC were not yet framed in relation to the individual’s right to data protection, the revised EU policy on data protection, the General Data Protection Regulation, initially states:

Article 1 – Subject matter and objectives

This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data. (GDPR, 2016).

The overall legal basis for the application of European data protection law is enshrined in Article 8 CFREU and Article 16 TFEU. Member States are legally bound to ensure the fundamental right to adequate protection of personal data according to the obligations emerging from the frameworks. In contrast to most human rights frameworks, the CFREU incorporates a division between privacy and data protection that was recognized in 2000 following a recommendation by the Article 29 Data Protection Working Party (Article 29 Working Party, 1999). The stand-alone right of data protection stated in the framework emerges from a set of factors, listed in Article 8 CFREU. Accordingly, the processing is required to be fair and to have a specific purpose, based on the consent of the person concerned or another legitimate basis laid down in the law. Additionally, access and rectification must be ensured as well as control measures by an independent authority. Regardless of the context and domain (public or private sector), the individual is guaranteed the right of full control over his or her personal data.

On the basis of these provisions, the following principles can be identified for the protection of personal data in the EU (McDermott, 2017). The first principle, autonomy, is determined in relation to the right to full control over one’s personal data. It aims to safeguard self-identity and human dignity by ensuring free and independent data handling for European citizens. Secondly, the principle of transparency stresses a rather practical dimension. Individuals are entitled to be informed about the nature and extent of data collection, utilization and consultation (EDPS, n.d.). Moreover, details regarding the processing of personal data must be openly accessible, clear to understand and retractable for the data subject. Finally, the principle of non-discrimination aims at excluding the effects of race, ethnicity, nationality, religion or sexual orientation from the processing of data, although providing legal space for profiling. In the CJEU judgment in Case C-524/06, the significance of the principle was confirmed by the highest legal authority of the EU (Huber v Federal Republic of Germany, 2008).

Irrespective of the specific context, the detected principles apply to the entirety of data processing in the EU. They have universal validity provided that the transfer is conducted within the EU internal dimension. As the study, however, aims to analyze the consistency of data transfers from the EU to third countries with data protection obligations emerging from the European legal framework, it extends the scope of data processing. When it comes to the introduction of the external dimension of data transfers, it may therefore be that the principles discussed with regards to the EU do not entirely conform to the essence of data protection in third countries. This must be noted for the further progress of the study.


2.3. European Legislative Framework

After having outlined the humanitarian basis of privacy and data protection, the EU legislative framework on data protection and data transfers shall be addressed in detail in the next section. Analyzing the specific provisions according to the contemporary European regulatory framework facilitates further elaboration on the protection standards for data processing and how they have evolved. Firstly, section 2.3.1 studies EU policies on data protection in a broader sense to provide a coherent basis of knowledge, before the focus is brought on data protection legislation applicable in law enforcement (section 2.3.2). Since the adoption of the new data protection package, Directive 2016/680 on Data Protection in the Police and Justice Sector serves as the legal foundation in the field. Therefore, the Directive will be the exclusive subject of interest in the section.

Moreover, by taking the security dimension of the study into consideration, emphasis is put on the character of EU counter-terrorism cooperation and strategy approaches. The section hence highlights the specific features and challenges prevalent in the field of law enforcement. In the past years, the EU has steadily adjusted the community law to address the altered conditions resulting from the effects of digitization. Especially the transformation process into a data-driven society has caused legal uncertainties and increased tensions between national security concerns and the respect for full protection of personal data. The strain on the relationship is primarily illustrated by security authorities’ extension of surveillance practices on Information and Communication Technologies (ICT). This, in combination with enhanced cooperative partnerships, constitutes the main alignment of the contemporary European counter-terrorism strategy, which is emphasized in section 2.3.3.

2.3.1. Legislation on the Protection of Personal Data

When approaching EU data protection law, it is crucial to keep in mind that only information that falls under the definition of personal data is effectively protected (White & Case, 2017). As stated previously, the definition can be found in Article 4 GDPR and covers any information relating to an identified or identifiable natural person. Accordingly, data that is not considered personal data is not protected under the regulations discussed in this section. Moreover, before emphasis is put on the principles emerging from EU legislation on the protection of personal data, the term “processing” must be clarified. Processing essentially refers to all actions involving or affecting personal data to some extent. Article 4 GDPR provides a list of operations that fall under the scope of data processing and considers the collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure or destruction of data.

The legislation on the protection of personal data was updated only recently, causing significant change in the field. Since the set of regulations entered into force on 25 May 2018, the GDPR serves as key policy regarding the protection of personal data in the private and large parts of the public sector. It replaces Directive 95/46/EC and establishes a more ambitious standard of data protection. The provisions of the GDPR are largely oriented towards strengthening citizens’ fundamental rights in the digital age and simplifying rules for enterprises in the digital single market (Commission, 2018a). For example, the GDPR refines some of the key terms in the field of data security, enhancing the scope of protection for European citizens. Moreover, the GDPR is designed as an EU Regulation, making it one single law immediately enforceable in all Member States. This results in increased uniformity amongst the European Community and fewer administrative burdens as separate implementation in the Member States’ national law is not required. In addition to the GDPR, the set of new regulations includes Directive 2016/680 on Data Protection in the Police and Justice Sector, which is stressed in the subsequent section, as well as Directive (EU) 2016/681 on the Use of PNR data. The latter is subject of analysis in section 3.3 in chapter 3 of the study.

With the provisions of the GDPR, the EU has sharpened the data protection law considerably and correspondingly upheld respect for the fundamental right to privacy and data protection. Besides assigning rights to data subjects more extensively, for instance the right to erasure or the “right to be forgotten” (Article 17 GDPR), it lists a revised version of five key principles for the governing of data processing in Article 5. These constitute an updated version of good practice guidelines for handling personal data (World Bank, 2018). According to the principles the data must be processed fairly, lawfully and transparently. Data may further be collected only for specific, explicit and legitimate purposes and processing is also required to occur in a manner compatible with the purposes. Moreover, data minimization refers to data being adequate, relevant and not excessive in relation to the original purpose of collection. In terms of accuracy, data must relate to the purpose it was collected for. Hence, outdated data, that may have turned inaccurate over time, is required to be deleted. In addition, storage limitation ensures that data is not kept in a form which permits identification of data subjects for longer than necessary. Necessity is, in this context, defined according to the purpose underlying the collection of data in the first place. Lastly, data processing shall be characterized by integrity and confidentiality. This comprises, more precisely, the level of security from unauthorized and unlawful processing as well as from additional factors such as damage. Altogether, data may be processed only in accordance with a minimum standard of legitimacy. So, to ensure the lawfulness of the process, each principle is required to be fulfilled.

With the updated provisions of the GDPR, the EU ensures consistency with the obligations deriving from Human Rights frameworks and especially from Articles 7 and 8 CFREU, that have been discussed previously (section 2.2). The principles listed in Article 5 on data processing do therefore correspond with the principles identified for the protection of personal data, reflecting on the same fundamental values. For example, the lawfulness, fairness and transparency requirement of data processing is closely interlinked to the principle of transparency as applicable in data protection more generally. The GDPR hence translates key values and principles enshrined in Human Rights into European policy. The next section specifies these commitments on the basis of Directive 2016/680. Because the potential impact data can have on the individual data subject is considerably high in the police and justice sector, data protection in the field is subject to specific regulations.

2.3.2. Directive 2016/680 on Data Protection in the Police and Justice Sector

Introducing the security dimension of the study, Directive 2016/680, also referred to as Law Enforcement Directive, is examined in the following. The Directive pursues a dual purpose as it aims at protecting citizens’ fundamental right to privacy and data protection whenever personal data is processed as well as facilitating information exchange between competent security and law enforcement authorities within the EU. In this regard, it applies to all natural persons regardless of their nationality. Subsequently this section outlines how the specific obligations incorporated in the Directive serve its objective to ensure compliance with European fundamental rights in the police and justice sector. The provisions relating to data transfers to third countries are not subject of this section, since they will be exclusively discussed in section 2.4, which emphasizes international data flows in the security field.

Directive 2016/680 provides a set of common rules applicable for data transfers performed for a purpose linked to combating crime or terrorism. This may, more precisely, include the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties. The rules established under the Directive apply not only to domestic data processing but also to cross-border transfers within the EU. With its entry into force in May 2018, the Directive repealed Framework Decision 2008/977/JHA, which was the first standard-setting EU legislation on data protection in the field of law enforcement cooperation. Guaranteeing a high level of protection for fundamental rights and freedoms, especially with regards to privacy and data protection, the scope of application of the Framework Decision was nonetheless limited to cross-border processing and did not regulate data transfers on Member States’ national level. Hence, with the new Directive a former gap in European legislation has been filled (Arthur Cox, 2016).

The objective of the legislators was to establish a legal instrument that would address technological developments and facilitate the conditions for law enforcement authorities to combat crime in the digital age more effectively and in compliance with present standards on data protection. With the CJEU’s judgments in Digital Rights Ireland and in the Schrems case, EU policy makers have been provided with concrete guidelines on how to ensure the respect for fundamental rights in the security and law enforcement environment (Coudert, 2016). The new legislation is further expected to make data sharing at the EU and international level more efficient, to increase trust amongst competent authorities and to guarantee legal certainty across borders (Commission, 2016a).

With Directive 2016/680, the EU has yet directed principles to apply for law enforcement for the first time. Article 4 of the Directive serves as appropriate legal base elaborating on these commitments. In accordance with Article 5 GDPR, the respect for lawfulness and fairness of data transfers is highlighted firstly. Due to the sensitivity and strategic value of information in the field, transparency is however not promoted. The additional provisions under Article 4 ensure legality, proportionality and necessity of data processing identical to the principles stated in the GDPR. All in all, European policy makers have with the Law Enforcement Directive successfully implemented a legal instrument which includes all EU internal police and judicial data processing activities under a common framework and at the same time maintains comprehensive respect for data protection rights within the EU.

2.3.3. The European Approach on Counter-terrorism

In this section the focus lies on the character of European counter-terrorism approaches. Since the 1970s the European Member States have sustained cooperation in the fight against terrorism. Over the years, the character of the cooperation has developed from comprising national objectives primarily towards a transnational alliance against the evolving terrorist threat. With the Maastricht Treaty, counter-terrorism was formally included within the EU regulatory framework in 1992. Pertaining to the sphere of judicial and police cooperation in criminal matters which is established in Cooperation in JHA under the third pillar of the Treaty, counter-terrorism cooperation was subject to intergovernmental methods.

Half a decade later, the entry into force of the Treaty of Amsterdam in 1997 and with it the introduction of the AFSJ constituted the first key step in the direction of a more open stance in police and security cooperation. The 9/11 attacks then triggered a strategic rethink in the fight against the terrorist threat, which paved the way for the present character of cross-border cooperation. In the aftermath, the EU reinforced a new agenda on the threat by adopting Framework Decision 2002/475/JHA on Combatting Terrorism as well as several action plans. It was however not until the incidents occurred on European territory in Madrid 2004 and London 2005 that counter-terrorism measures and instruments were put into decent formulation within the EU Counter-Terrorism Strategy, which has been subject of discussion in the introduction of the study. Prior to the mid-2000s events, the EU had primarily focused on internationally operating terror networks, paying little attention to the possibility of domestic terrorism. Together with the concurrently adopted EU strategy for combating radicalisation and recruitment, the EU Counter-Terrorism Strategy marked a landmark in the European assessment of the threat within its borders. Simultaneously, it illustrates the major concerns held by the EU and its Member States. Referring to the implementation of countering actions as “strategy” does further suggest greater consistency of the European approach in the fight against terrorism from 2005 onwards (Bakker, 2015).

Within the strategic framework, cooperative and coordinating measures are adopted on a large scale. These do not only pertain to internal cooperation, but also to collaboration with international partners. The European External Action Service lists joint efforts of the EU and the Member States for instance in one line with third country partnerships for the effective integration of internal and external counter-terrorism work (EEAS, 2016). Having developed into a separate policy domain within the EU, the counter-terrorism strategy has become an integral element of the AFSJ. Cooperation between national police and security authorities is however not only crucial in countering terrorism. The EU does, more generally, reinforce joint action as a key instrument for addressing criminal matters within the AFSJ.


The appropriate legal basis for cross-border law enforcement is found in Title V of the TFEU. Within the scope of these provisions, administrative and operational assistance between the Member States has constantly been strengthened, resulting in enhanced cooperation on the European level. The EU-wide harmonization of national policies is however excluded according to the provisions of Article 84 TFEU. This is because national security falls within the sole responsibility of the Member States (Article 4 TFEU). Therefore, consensus amongst Member States on a common agenda to fight terrorism does not equal a pan-European harmonization in the field (Edwards & Meyer, 2008). The engagement on the European level can rather be seen “as a complement to national efforts, where added value [is] possible and desirable.” (Coolsaet, 2010).

In addition to intensified cooperation, respect for human rights and the rule of law constitutes another main pillar of the European strategic guidelines in countering terrorism. The EU Counter-Terrorism Strategy and the updated Terrorism Action Plan thus promote a criminal justice approach to fighting terrorism whilst protecting human rights. EU Counter-Terrorism Coordinator Gijs de Vries notes that the fight against terrorism in accordance with the rule of law is essential for democratic states so as to avoid overreaction and compliance with terrorists’ intentions to trigger extreme reaction on the European side (CVCE, 2007). The obligation to ensure fundamental rights is applicable within the Member States but also outside of the European borders, for example in countries receiving European support in addressing their domestic terrorism threat.

With regard to the digital age, special emphasis has recently been assigned to privacy and data protection in formulating counter-terrorism guidelines. With the transformation of ICT, law enforcement and obligations on data protection become increasingly convoluted. According to the European Data Protection Supervisor, the EU’s independent data protection authority, in a new political and legal environment “the scale of collection, storage and cross-border exchange of personal data between Member States in crime and terrorism matters is enormous.” (EDPS, n.d.). Moreover, contemporary terrorism has become more digital too, relocating large spheres of its activity and communication to the internet. Therefore, the threat is nowadays even more diverse and multifaceted, which makes the assessment increasingly complex. Encountering it effectively requires the EU to be exceedingly agile in its security and law enforcement. This also includes realizing the full strategic potential of data and information exchange, albeit within the boundaries of the respective legal provisions. However, the closer the EU and the Member States cooperate with each other and with third countries, the greater the amount of personal data from EU citizens that is gathered, processed and retained. Considering the extensive volume of the datasets retained by global law enforcement bodies, one may refer to the accumulation as bulk data. Coincident with the enhanced collection of data, privacy concerns about maintaining full respect for data protection standards have increased. As argued before with regard to law enforcement and countering terrorism, the EU therefore needs to balance the diverging interests of public security on the one hand and privacy and data protection as civil freedoms on the other. The European Data Protection Supervisor argues in this line by acknowledging the challenging
